Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies


Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
This post was updated on .
This step-by-step for Linux newbies builds a vanilla Guacamole 1.0.0, developed by a very newbie who needed it.
With thanks to too many to specifically name.
The Guacamole config and properties files that I provide are subject to the Apache License found on the Apache Guacamole site.

This First Post is regularly edited to incorporate updates, feedback and corrections,
but please compare its "Updated" Date-time with that of the Last Post.

I wanted a single OS that, for someone coming from Windows, would be easier to configure, secure and debug than an OS plus three docker containers.
It builds the default XML file authentication provider, with the option to instead use the MySQL provider,
or the option of the Radius Authentication provider used with MySQL.

The default provider is only really suitable for very small numbers of users and connections.
MySQL (one of the three database providers) provides scalability and easier administration.
The Radius Authentication Provider permits integration into many types of RADIUS server,
including Microsoft's Azure MFA environment via a Windows Network Policy Server.

Guacamole's new Group feature only works if users in a Group are also Guacamole administrators.
So not yet useful - the problem is expected to be resolved in the next release.

The CentOS Linux OS can be installed on a number of different computers including virtual machines.
I've most recently used Windows Server Standard 2019 Hyper-V.

The attached setup instructions will specifically install and configure the following:
CentOS Linux, Minimal ISO, release 7.6.1810 (Core)
OpenSSL  1.1.1d - which includes support for the faster and more secure TLS version 1.3
Tomcat 9 - which includes support for the much faster http/2
MySQL 8 (if using the JDBC/MySQL Plugin)
An upgraded gcc compiler, version: 7.3

The most useful tool I have found for working across Windows and Linux is WinSCP from: https://winscp.net/eng/download.php
It includes Putty, and under its Preferences, you can select "Windows Explorer" UI, or remain with the "Commander" UI.


Here are the steps and config I've used....

Use a Hyper-V MMC console to connect to a Windows 2016 or 2019 Hyper-V server and create a "Guacamole" VM:
   Configure Generation 2, 40GB VHDX, Dynamic Memory, Startup= 2GB, Low= 512MB, High= 8GB, 2 CPUs, SecureBoot= Microsoft UEFI Certificate Authority
   Integration Services= all, Production checkpoints, Automatic Start Action= Always, Automatic Stop Action= Shutdown
   DVD= CentOS previously downloaded from:  http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso

Or, using Powershell 5.1 on the Hyper-V host:
$VmName = "<GuacamoleVM Name>"
$Location = "<Path of folder to contain all VM files>"
$BootDVD = "<Path to CentOS-7-x86_64-Minimal-1810.iso>"
# Generation 2 VM, 2GB startup memory, new 40GB VHDX, connected to the first virtual switch found on the host
New-VM -Name $VmName -Generation 2 -Path $Location -MemoryStartupBytes 2GB -NewVHDPath "$VmName.VHDX" -NewVHDSizeBytes 40GB -SwitchName (Get-VMSwitch)[0].Name
# Attach the CentOS install ISO as a DVD drive
Add-VMDvdDrive -VMName $VmName -Path $BootDVD
# 2 virtual CPUs; dynamic memory between 512MB and 8GB, starting at 2GB
Set-VM $VmName -ProcessorCount 2 -DynamicMemory -MemoryStartupBytes 2GB -MemoryMinimumBytes 512MB -MemoryMaximumBytes 8GB
# Boot from the DVD before the disk, with Secure Boot on using the template Hyper-V provides for Linux guests
Set-VMFirmware $VmName -BootOrder (Get-VMDvdDrive $VmName),(Get-VMHardDiskDrive $VmName) -SecureBootTemplate "MicrosoftUEFICertificateAuthority" -EnableSecureBoot On
# Integration services: all of them, matching the MMC settings above
Enable-VMIntegrationService -VMName $VmName -Name "Shutdown","VSS","Heartbeat","Guest Service Interface","Key-Value Pair Exchange","Time Synchronization"


Using the Hyper-V MMC's "Connect" command/window, connect to the new VM's CentOS boot screen and initiate the normal boot option (not test OS).
In the CentOS start-up GUI:
Set up a password for UserID=root, but no other userID is required at this stage

Host Name= guacamole.yourdomain.com (computername pre-pended to the name of your domain)
Static/Manual IP Addressing
IPv4=172.16.25.1 (For example. Same subnet as the computer's LAN), DNS, Gateway, Search Domains
IPv6=11:22:33:401::25 (similar to IPv4 but optional)
"Automatically Connect on boot", and if visible, "Available to All Users"

Once the CentOS start-up GUI has completed, click the CentOS button to "Reboot".
Then using WinSCP, log on to your VM by specifying your IP Address, UserID=root and password.

Note that all the Linux commands in the attached files are single line, except for "echo" which can often be multi-line - note the start and end quotes.

To setup a simple Guacamole server:
Base_Guacamole_setup.txt

To use a MySQL database for more functionality and to scale:
Setup_MySQL_database_provider.txt
Sample RDP Connection configured using the Guacamole Web GUI:
Sample_RDP_Connection_Config.txt

To use Radius for authentication, allowing the use of Active Directory, and Azure Multi-Factor Authentication, while still using MySQL as a connection repository:
Setup_Radius_Authentication.txt
NPS_configuration_for_Guacamole_and_Azure_MFA_service.pdf

Locking down external communications by only using https on the default port 443:
Setup_https.txt

Other sundry CentOS commands I found useful:
Sundry_commands.txt

A great thread on this Mailing List for tweaking Guacamole performance:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-System-Resource-requirements-for-better-performance-td5996.html

And useful tips from Mike Jumper for resource requirements:


(If you configured your Guacamole server guided by the earlier Guacamole-1.0.0/Tomcat-8.5 version of this post then updated guidance for http/2 and TLSv1.3 is in:
http_and_tls_update.txt )

-David

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
great work! I need Azure MFA with Guacd so I'll be testing this out. Will
provide feedback when I do.

One question, how did you confirm radius won't work with groups? Can I ask
what you tried?



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

Robert Dinse

      The people who have this working, what operating system(s) are you
running it on?

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Tue, 19 Feb 2019, PlayerOne wrote:

> Date: Tue, 19 Feb 2019 23:03:55 -0600 (CST)
> From: PlayerOne <[hidden email]>
> Reply-To: [hidden email]
> To: [hidden email]
> Subject: Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux
>     newbies
>
> great work! I need Azure MFA with Guacd so I'll be testing this out. Will
> provide feedback when I do.
>
> One question, how did you confirm radius wont work with groups? Can I ask
> what you tried?
>
>
>
> --
> Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
This post was updated on .
In reply to this post by PlayerOne
vnick, a significant contributor to the Radius provider, has recently pointed out that the issue is probably related to https://issues.apache.org/jira/browse/GUACAMOLE-696

After your prompting, and after a careful re-read of vnick's postings and the JIRA, I now realize that if
both the username and the MySQL Group name exist in Active Directory, the user is a member of the Group in both places, and the password is correct, then the user will be presented with the MySQL Group's Connections.
I've tested the setup and Groups work.
Thanks.

I have now corrected my original post and the attachment.
Both Powershell directly attaching all existing connections to a new user, and alternatively, Powershell attaching a new user to a valid AD and Guacamole Group are scripted.

Good luck and I look forward to seeing your results.

-David

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

vnick
In reply to this post by Robert Dinse


On Wed, Feb 20, 2019 at 12:11 AM Robert Dinse <[hidden email]> wrote:

      The people who have this working, what operating system(s) are you
running it on?


I generally use CentOS7 for my Guacamole testing/development and production environments.  I've tested some with Ubuntu 16.x for some of the JIRA issues that have popped up.  Don't think I've done anything with Ubuntu 18.x, yet.

Regards,
Nick 

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

Kamal Ezzaki
Centos 7 For Guacamole 
Freeradius Ubuntu 18 

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

Kamal Ezzaki
It's not an issue, I think; it's just something I must do with the configuration, because my Guacamole checks the database first, then goes to Radius. But I want Guacamole to check users in Radius: if the user exists, then it completes with the database; if not, PRINT incorrect.

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
Hi,
If you look at the script you'll see that it changes the name of the
Authentication Providers slightly. The Providers are loaded and executed by
Guacamole in alphanumeric sequence, so renaming is needed to ensure Radius
is loaded before MySQL.
-David

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
In reply to this post by Robert Dinse
I'm currently installing this on CentOS 7, the latest download available.

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
In reply to this post by drhy
Thank you David, I did actually catch that in the other thread, but thank you
again for keeping things neat and tidy by updating your posts here. It's
unbelievably annoying coming across those kind of dead end threads!

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

vnick
In reply to this post by drhy
On Wed, Feb 20, 2019 at 3:44 PM drhy <[hidden email]> wrote:
Hi,
If you look at the script you'll see that it changes the name of the
Authentication Providers slightly. The Providers are loaded and executed by
Guacamole in alphanumeric sequence, so renaming is needed to ensure Radius
is loaded before MySQL.
-David


Yes, because of how modules are loaded and how authentication errors are handled, if you're using RADIUS to do 2-Factor authentication (Challenge/Response), you'll need to make sure that module is loaded and evaluated, first, so that authentication succeeds before the JDBC module is queried.  You should still be able to assign permissions from the JDBC module to RADIUS-authenticated users.

-Nick 
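Added example (POSIX shell), not code from the thread or from the Guacamole project, covering both David's note that his script renames the providers and Nick's explanation of why the RADIUS module must be evaluated before the JDBC one. Guacamole loads the jars in GUACAMOLE_HOME/extensions in alphanumeric order, so the file name decides which provider sees a login first; the script lists that order and renames the two jars with numeric prefixes so RADIUS always comes first. The jar file names, the prefixes 10-/20- and the temporary demo directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Guacamole project. Guacamole
# loads GUACAMOLE_HOME/extensions/*.jar in lexical order, so the file name
# decides whether the RADIUS provider or the JDBC/MySQL provider handles a
# login first. The jar names below are constructed for the demo; use the
# names your build produced. The 10-/20- prefixes are this example's own.

# List the extension jars in the order Guacamole will load them. Java
# compares names by character value, which is byte order for ASCII, so
# sort in the C locale; a UTF-8 locale may ignore case and punctuation
# and show an order that is not the one Guacamole actually uses.
extension_load_order() {
    ls -1 "$1" | grep '\.jar$' | LC_ALL=C sort
}

# Rename the two authentication jars so RADIUS always sorts before JDBC,
# whatever their original names. Already-prefixed files are left alone.
reorder_auth_extensions() {
    dir="$1"
    for jar in "$dir"/*.jar; do
        [ -e "$jar" ] || continue            # empty glob: no jars at all
        base=$(basename "$jar")
        case "$base" in
            [0-9][0-9]-*) ;;                 # already prefixed, skip
            *radius*)     mv "$jar" "$dir/10-$base" ;;
            *jdbc*)       mv "$jar" "$dir/20-$base" ;;
        esac
    done
}

# Exit 0 when, of the RADIUS and JDBC jars present, RADIUS loads first.
radius_loads_first() {
    first=$(extension_load_order "$1" | grep -E 'radius|jdbc' | head -n 1)
    case "$first" in
        *radius*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo on a throwaway directory; empty files stand in for the real jars.
demo=$(mktemp -d)
touch "$demo/guacamole-auth-jdbc-mysql-1.0.0.jar" "$demo/guacamole-auth-radius-1.0.0.jar"
echo "before renaming:"; extension_load_order "$demo"
reorder_auth_extensions "$demo"
echo "after renaming:";  extension_load_order "$demo"
rm -rf "$demo"
```

Point extension_load_order at your GUACAMOLE_HOME/extensions before and after renaming, and restart Tomcat afterwards so the jars are loaded in the new order. Without the prefix, "guacamole-auth-jdbc-mysql" sorts ahead of "guacamole-auth-radius", which is exactly the order Kamal describes (database checked first, then Radius).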

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
In reply to this post by drhy
David, I'm at the point in your guide where I've just rebooted after
permitting java to listen on privileged ports. Tomcat seems to not want to
start now, I get this error:

root@GUACA01/opt systemctl status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2019-02-21 02:34:56 GMT; 8s ago
  Process: 29904 ExecStop=/opt/tomcat/latest/bin/shutdown.sh (code=exited, status=1/FAILURE)
  Process: 29893 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 29901 (code=exited, status=127)

Feb 21 02:34:56 AKGUACA01.group.abercrombiekent.local systemd[1]: Unit tomcat.service entered failed state.
Feb 21 02:34:56 AKGUACA01.group.abercrombiekent.local systemd[1]: tomcat.service failed.
root@AKGUACA01/opt


I've followed every step in your guide except for firewall cmd's, just
because I don't need to do that yet.

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
I managed to fix it, although it did run this command with no errors,
'./configure --with-java-home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/'
didn't apply the java-home. I manually updated it in
/etc/systemd/system/tomcat.service and now tomcat starts ok.

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
This post was updated on .
Hi PlayerOne,

Bearing in mind how new to Linux I am, it'll either be me omitting a command from the post,
or it might be that the following line didn't get executed:

echo '/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/amd64/jli' >> /etc/ld.so.conf.d/java.conf

Look in the file: /etc/ld.so.conf
It should contain just one line: include ld.so.conf.d/*.conf
Then check inside the file: /etc/ld.so.conf.d/java.conf
It should also contain just one line:
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/amd64/jli

In the file: /etc/systemd/system/tomcat.service
did you solve your problem by amending the JAVA_HOME line to:
Environment="JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/"
?

Thanks for the update.

-David
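The three checks David lists above, as an added shell script that is not part of the thread: it verifies the include line in /etc/ld.so.conf, the jli path in /etc/ld.so.conf.d/java.conf, and that the JAVA_HOME named in the tomcat.service unit really contains bin/java. The JDK path is the one used in this thread; the file-path parameters and the PASS/FAIL report are this example's own additions. systemd's status=127 is the shell's "command not found", which fits startup.sh being unable to locate java.

```shell
#!/bin/sh
# Added example, not from the thread: a checklist for the three things
# David asks PlayerOne to verify when tomcat.service ends with status=127.
# Each check takes a file path so it can be run against test copies; the
# defaults are the paths and JDK build used in this thread.

JAVA_HOME_EXPECTED="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/"

# 1. /etc/ld.so.conf must contain exactly the include line for the drop-ins.
check_ldso_include() {
    grep -qxF 'include ld.so.conf.d/*.conf' "${1:-/etc/ld.so.conf}" 2>/dev/null
}

# 2. /etc/ld.so.conf.d/java.conf must name the JRE's jli directory, so the
#    dynamic linker can find libjli.so when Tomcat's scripts start java.
check_java_conf() {
    grep -qxF "${JAVA_HOME_EXPECTED}jre/lib/amd64/jli" "${1:-/etc/ld.so.conf.d/java.conf}" 2>/dev/null
}

# 3. The systemd unit must carry an Environment="JAVA_HOME=..." line, and
#    that directory must actually contain an executable bin/java.
tomcat_java_home() {
    sed -n 's/^Environment="JAVA_HOME=\([^"]*\)"$/\1/p' "${1:-/etc/systemd/system/tomcat.service}" 2>/dev/null
}
check_tomcat_java_home() {
    home=$(tomcat_java_home "$1")
    [ -n "$home" ] && [ -x "${home%/}/bin/java" ]
}

# One PASS/FAIL line per check, against the live system's default paths.
report() {
    for chk in check_ldso_include check_java_conf check_tomcat_java_home; do
        if "$chk"; then echo "PASS $chk"; else echo "FAIL $chk"; fi
    done
}

# Only report when run on a box that actually has the unit file.
if [ -f /etc/systemd/system/tomcat.service ]; then report; fi
```

Run it as root on the Guacamole VM; a FAIL on the third check is the situation PlayerOne hit, and the fix is the Environment="JAVA_HOME=..." line David quotes. After changing either ld.so.conf file, run ldconfig, then systemctl daemon-reload and restart tomcat.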

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
Hi David, yes I did, that's right. I've come across another problem, I hope
you can help. I've built a VM twice now on the Maven step thinking I may
have done something wrong, just a base CentOS 7 install. I've run the maven
commands and both times come up with this error.

[INFO]
------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] guacamole-common .................................. FAILURE [13.733s]
[INFO] guacamole-ext ..................................... SKIPPED
[INFO] guacamole-common-js ............................... SKIPPED
[INFO] guacamole ......................................... SKIPPED
[INFO] guacamole-auth-cas ................................ SKIPPED
[INFO] guacamole-auth-duo ................................ SKIPPED
[INFO] guacamole-auth-header ............................. SKIPPED
[INFO] guacamole-auth-jdbc ............................... SKIPPED
[INFO] guacamole-auth-jdbc-base .......................... SKIPPED
[INFO] guacamole-auth-jdbc-mysql ......................... SKIPPED
[INFO] guacamole-auth-jdbc-postgresql .................... SKIPPED
[INFO] guacamole-auth-jdbc-sqlserver ..................... SKIPPED
[INFO] guacamole-auth-jdbc-dist .......................... SKIPPED
[INFO] guacamole-auth-ldap ............................... SKIPPED
[INFO] guacamole-auth-openid ............................. SKIPPED
[INFO] guacamole-auth-quickconnect ....................... SKIPPED
[INFO] guacamole-auth-totp ............................... SKIPPED
[INFO] guacamole-example ................................. SKIPPED
[INFO] guacamole-playback-example ........................ SKIPPED
[INFO] guacamole-auth-radius ............................. SKIPPED
[INFO] guacamole-client .................................. SKIPPED
[INFO]
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 14.099s
[INFO] Finished at: Thu Feb 21 04:42:10 GMT 2019
[INFO] Final Memory: 19M/309M
[INFO]
------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1:test (default-test) on project guacamole-common: Execution default-test of goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1:test failed: Unable to load the mojo 'test' (or one of its required components) from the plugin 'org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1': com.google.inject.ProvisionException: Guice provision errors:
[ERROR]
[ERROR] 1) No implementation for org.codehaus.plexus.languages.java.jpms.LocationManager was bound.
[ERROR] while locating org.apache.maven.plugin.surefire.SurefirePlugin
[ERROR] at ClassRealm[plugin>org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1, parent: sun.misc.Launcher$AppClassLoader@7852e922]
[ERROR] while locating org.apache.maven.plugin.Mojo annotated with @com.google.inject.name.Named(value=org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1:test)
[ERROR]
[ERROR] 1 error
[ERROR] role: org.apache.maven.plugin.Mojo
[ERROR] roleHint: org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M1:test
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginContainerException
[root@maven guacamole-client-1.0.0]#

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
Hi PlayerOne,

It looks like the surefire plugin being downloaded has been corrupted on
their web site. Must have just happened.
You need to bypass testing.
Try: mvn install -DskipTests
If that doesn't work then go through each pom.xml in the expanded tarball
and comment out the use of the surefire plugin, then run again: mvn package
-Plgpl-extensions

Referring to my previous reply, did file: /etc/ld.so.conf.d/java.conf
contain the one line ?
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/amd64/jli

Thanks

-David

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
Hi David, yes it does contain that line.

I tried the skiptests but that also failed. I'll start working my way
through these files. Thanks for the help.

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
In reply to this post by drhy
Ok that all went well, I just need to do the Windows MFA/Radius side now. I
see your notes in your file, could you elaborate a little more on what needs
to be done please? Is this where I need to match AD User/Group Objects with
the User/Group objects in MySql?

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

drhy
In reply to this post by PlayerOne
Hi PlayerOne,

I've created the replacement pom.xml files.
Copy the attached surefirefix.zip file to the root (/) of your CentOS volume
cd /
unzip surefirefix.zip

It should overwrite the affected pom.xml files in
/root/guacamole-client-1.0.0/
Run maven per the command in my first post.

Let me know how it's going.

-David

surefirefix.zip
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/surefirefix.zip>  

Re: Guacamole 1.0.0 with Radius and MySQL: Step-by-step for Linux newbies

PlayerOne
Thank you David! Reposting this below in case you missed it above.

"Ok that all went well, I just need to do the Windows MFA/Radius side now. I
see your notes in your file, could you elaborate a little more on what needs
to be done please? Is this where I need to match AD User/Group Objects with
the User/Group objects in MySql?"